Attackers could gain full control over passenger bookings, cancel flights, and steal sensitive information with leaked booking codes.

While waiting for my flight to begin boarding at a European airport recently, I noticed that one of the screens at the gate showed a timed-out web browser window. Being curious and more than a little bored, I opened the IP address displayed on the screen on my smartphone expecting it to be unreachable from the internet. However, to my surprise I was greeted by the familiar screen used to announce information about the next flight leaving a particular gate. The website also had a full listing of all gates operated by the airline across a handful of airports.

While knowing which flights are about to leave from which gate is useful, it’s no big secret. This information can be viewed by anyone on the airport’s departure page as well as through a multitude of smartphone apps. What was worrying was that I also found debug information containing data which could be used to hack into passenger accounts.

Debug information reveals passenger name records

On the public-facing server there was one page that immediately caught my eye. For each gate, there was a debug page available. The page listed all database fields with information available about the next flight. One of the queried tables was for passengers on the standby list. Various information about these passengers was listed including their complete booking reference codes, also known as passenger name record (PNR) locators. These six-digit alphanumeric codes, used in the databases of airline computer reservation systems (CRS), are a vital part of every travel booking.

Most airlines treat the PNR code as an authentication token that acts like a password, a password that is unfortunately widely shared in cleartext. Having this code and the last name of the traveler is all that is needed to access passenger bookings.

In this particular case the last names were shortened to three-to-five characters, probably in order to provide some privacy when displayed on the official screen. However, guessing a last name when you already have up to five characters could be relatively easy. And for common short names such as Koch, Beck, or West, no guessing is necessary as the full name is revealed completely.

Consequently, anybody that knew about this publicly accessible server could view passenger PNR codes and guess the last names. If a criminal got their hands on this information it could seriously ruin someone’s holiday.

Figure 1. Shortened last names of passengers along with seat assignments and PNR locator codes

Access to everything

A passenger’s last name and their PNR locator code are all that is needed to access a booking. Once logged in, an attacker can see details about the flight and all other passengers on the same booking. This includes full names and often email addresses, telephone numbers, frequent flyer numbers, postal addresses and, for intercontinental flights, passport details and dates of birth. With most airlines, having the PNR code and passenger’s last name means an attacker can cancel the flight, rebook it for another date, or change customer details in their frequent flyer account. Basically, an attacker could gain full control over passenger bookings and have access to a lot of sensitive information that could also be used to carry out identity theft and phishing attacks.

Figure 2. Attackers can gain full control over passenger bookings and access a wealth of sensitive information

And there are more ways to get PNR codes

My boredom found just one way PNR codes can fall into the hands of criminals. But recently there has been a lot of discussion around breaching the security of travel booking systems. The fact that you should not post boarding passes and luggage tags on social networks, as they contain all the information needed to access a booking, has already been reported by Brian Krebs and others. Sadly some people continue to do this, leaving them at risk and open to attacks.

Last month, security researchers Karsten Nohl and Nemanja Nikodijevic demonstrated that the PNR code itself can be brute forced with just a few dozen cloud instances. This is made even easier by the fact that some of the global booking systems assign these codes sequentially.

Other airline passenger attack methods

Airlines, like many other businesses, are vulnerable to social engineering attacks, and there have been reports of attackers using just a name and flight number to acquire PNR codes. Brute-force attacks are also common in the travel industry and have been used to attack loyalty club accounts and frequent flyer passes for many years. Often these accounts are only protected by short numeric PIN codes which are easy to brute force. Points and miles are transferred to new owners or sold on underground forums for as little as US$5 per 10,000 miles. These loyalty accounts often grant full access to any open bookings as well.

Figure 3. Stolen frequent flyer miles for sale on underground forums for as little as US$5 per 10,000 miles

Securing travel booking is no easy task

I reported the issue I discovered to the relevant operator and the issue has been fixed. I also raised my concern over brute-force attacks and suggested using CAPTCHAs, requesting additional information such as passengers’ first names, and rate limiting per IP address.
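One way a booking-lookup endpoint could apply the throttling and CAPTCHA step-up suggested above, as an added example that is not the airline's or the author's code. It counts failed lookups per client IP and, as an extra assumption prompted by the multi-instance brute forcing mentioned earlier, per last name; the class name, thresholds and traffic are constructed for illustration.

```python
from collections import defaultdict, deque

class LookupThrottle:
    """Sliding-window count of failed booking lookups, per IP and per surname."""

    def __init__(self, per_ip=5, per_name=20, window=600.0):
        self.per_ip, self.per_name, self.window = per_ip, per_name, window
        self.fails = defaultdict(deque)  # key -> timestamps of failed lookups

    def _recent(self, key, now):
        q = self.fails.get(key)
        if q is None:
            return 0
        while q and now - q[0] > self.window:
            q.popleft()  # drop failures that fell out of the window
        return len(q)

    @staticmethod
    def _keys(ip, last_name):
        return ("ip", ip), ("name", last_name.strip().upper())

    def decide(self, ip, last_name, now):
        """Called before the PNR is checked: 'allow', 'captcha' or 'block'."""
        ip_key, name_key = self._keys(ip, last_name)
        ip_fails = self._recent(ip_key, now)
        if ip_fails >= 2 * self.per_ip:
            return "block"
        if ip_fails >= self.per_ip or self._recent(name_key, now) >= self.per_name:
            return "captcha"
        return "allow"

    def record_failure(self, ip, last_name, now):
        for key in self._keys(ip, last_name):
            self.fails[key].append(now)

def simulate():
    """Constructed traffic; every attempt that is not blocked is a wrong guess."""
    t = LookupThrottle()
    single, spread = [], []
    for i in range(12):  # one client, twelve guesses
        single.append(t.decide("198.51.100.7", "WEST", now=i))
        if single[-1] != "block":
            t.record_failure("198.51.100.7", "WEST", now=i)
    for n in range(30):  # thirty clients, one guess each, same surname
        ip = f"203.0.113.{n + 1}"
        spread.append(t.decide(ip, "Koch", now=100 + n))
        t.record_failure(ip, "Koch", now=100 + n)
    return single, spread

if __name__ == "__main__":
    print(simulate())
```

In the second run no single address ever exceeds the per-IP limit, so only the per-surname counter triggers the CAPTCHA step.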

Fixing the security weaknesses of travel booking systems is no easy task as the global booking systems are heavily interconnected and dependent on each other. In light of the new and soon to be applied General Data Protection Regulation (GDPR) in Europe, the topic of data protection is set to gain more traction in the future. Hopefully, for travelers everywhere, this will compel businesses to put more effort into protecting their customers’ personal data.